2015-03-13 149 views
3

I am trying to hash passwords with the bcrypt algorithm, but I am running into some problems. First, I can't find the right place to check whether password_verify() returns true. Verifying password_hash() inside a PDO prepared statement:

$admin = $_POST['admin-user'];
$pass = $_POST['admin-pass'];

$password_hash = password_hash($pass, PASSWORD_BCRYPT);

if (isset($admin) && isset($pass) && !empty($admin) && !empty($pass)) {

    $admin_select = $link->prepare("SELECT `id` FROM `admins` WHERE `username` = :admin");

    $admin_passwd = $link->prepare("SELECT `password` FROM `admins` WHERE `username` = :admin_pw");
    $admin_passwd->execute(array(':admin_pw' => $admin));
    $admin_pwd = $admin_passwd->fetch(PDO::FETCH_ASSOC);

    if (password_verify($pass, $admin_pwd)) {

        if ($admin_select->execute(array(':admin' => $admin))) {
            $res = $link->query('SELECT COUNT(*) FROM requests');
            $query_num_rowz = $res->fetchColumn();
            if ($query_num_rowz == 0) {
                echo 'No records found';
            } else if ($query_num_rowz > 0) {
                $query = $link->prepare("SELECT id FROM admins WHERE username = :admin");
                $query->execute(array(':admin' => $admin));
                $admin_id = $query->fetch(PDO::FETCH_ASSOC);
                $_SESSION['admin_id'] = $admin_id;
                header('Location: index.php');
            }
        }
    }
}

Second, I am not sure this is the right way to select the user's password:

$admin_passwd = $link->prepare("SELECT `password` FROM `admins` WHERE `username` = :admin_pw"); 
$admin_passwd->execute(array(':admin_pw' => $admin)); 
$admin_pwd = $admin_passwd->fetch(PDO::FETCH_ASSOC); 

Answer

3

Because you did not put ->fetch in a loop, a single call returns one row as an associative array. You have to access the correct index first (password in this case), then compare that row value (assuming it was hashed) with the user input inside password_verify. Rough example:

if (!empty($_POST['admin-user']) && !empty($_POST['admin-pass'])) {
    $admin = $_POST['admin-user'];
    $pass = $_POST['admin-pass'];

    $admin_info = $link->prepare("SELECT `password` FROM `admins` WHERE `username` = :admin_user");
    $admin_info->execute(array(':admin_user' => $admin));
    $row = $admin_info->fetch(PDO::FETCH_ASSOC); // one row as an associative array, or false

    if (!empty($row)) {
        // compare the submitted password against the stored bcrypt hash
        if (password_verify($pass, $row['password'])) {
            // okay
        }
    } else {
        // not found
    }
}
+0

+1. Would it be a good idea if I made a class for this, i.e. a class with two methods, one for user information and another for admins? – schmitsz 2015-03-13 14:44:13

+0

@schmitsz If using a class benefits you then do so; you may need to reuse some methods, so I think that would be fine – Ghost 2015-03-13 14:46:52
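The login check from the answer above, written out as a stand-alone example that is not code from the thread: it keeps the `admins` table and column names from the question, uses an in-memory SQLite PDO connection with constructed rows so it runs offline, and adds two things the answer does not show, a placeholder hash so an unknown username costs the same bcrypt work as a known one, and password_needs_rehash() to upgrade old hashes.

```php
<?php
// Added example, not from the original thread. Table and column names follow
// the question; the SQLite connection and the rows in it are constructed here.
declare(strict_types=1);

function authenticateAdmin(PDO $link, string $username, string $password): ?int
{
    $stmt = $link->prepare('SELECT `id`, `password` FROM `admins` WHERE `username` = :admin');
    $stmt->execute([':admin' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC); // one row as an array, or false if no such user

    // Hash of a placeholder password, computed once per process, so that an
    // unknown username still costs one bcrypt verification (no timing difference).
    static $placeholder = null;
    $placeholder ??= password_hash('placeholder-not-a-real-password', PASSWORD_BCRYPT);

    $storedHash = $row !== false ? (string) $row['password'] : $placeholder;
    $ok = password_verify($password, $storedHash);
    if ($row === false || !$ok) {
        return null;
    }

    // Re-hash if the stored hash was made with a lower cost than the current default.
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT)) {
        $upd = $link->prepare('UPDATE `admins` SET `password` = :hash WHERE `id` = :id');
        $upd->execute([':hash' => password_hash($password, PASSWORD_BCRYPT), ':id' => $row['id']]);
    }
    return (int) $row['id'];
}

// Constructed demo data in an in-memory SQLite database.
$link = new PDO('sqlite::memory:');
$link->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$link->exec('CREATE TABLE admins (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
$ins = $link->prepare('INSERT INTO admins (username, password) VALUES (:u, :p)');
$ins->execute([':u' => 'alice', ':p' => password_hash('correct horse', PASSWORD_BCRYPT)]);

var_dump(authenticateAdmin($link, 'alice', 'correct horse')); // correct password: returns the id
var_dump(authenticateAdmin($link, 'alice', 'wrong'));         // wrong password
var_dump(authenticateAdmin($link, 'nobody', 'anything'));     // unknown user, same bcrypt cost
```

On success, call session_regenerate_id(true) and store only the returned integer id in $_SESSION, rather than the whole fetched row as the question's code does.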